[57] ABSTRACT

A method for loading secret data, such as an application key,
on a smart card (6), which involves storing a random key on
the card (6), encrypting the random key on the basis of a
public key, and providing the encrypted random key to a
central processing station (4). The encrypted random key is
decrypted at the central station on the basis of a secret key,
and the station (4) encrypts data on the basis of the random
key and transmits it to the smart card (6). The smart card
decrypts the encrypted data on the basis of the random key.
The random key can be generated internally and stored on
read protected memory (23) of the card (6). The public key
encrypting and secret key decrypting steps may be based on
the RSA algorithm, using a small encryption exponent.
CRYPTOGRAPHIC COMMUNICATIONS
METHOD AND SYSTEM

The present invention relates to a cryptographic method
and system and, in particular, to a smart card and method of
initialising a smart card.

Cryptographic techniques are used to encrypt and
decrypt sensitive communications between two terminals. A
particular problem exists in ensuring secure communications
between credit cards and a central processing station,
or host, and the problem becomes more acute with respect
to smart cards which are intended to transmit and receive
sensitive data. Conventional encryption techniques require
that the smart card have a secret key before any sensitive
data can be loaded onto the card. Present solutions for smart
cards are usually based around one of two techniques. The
first involves loading the card with secret information
through a physically secure communications channel, which
unfortunately is not always practical. The second technique
involves relying on the card manufacturer to place an initial
secret key on the card, and the card owner then uses the
secret key to load the sensitive data required for card
applications. Unfortunately, the card manufacturer then has
at its disposal all of the information necessary to decipher
communications with the card and to recover any secret
information loaded on the card.

European patent publication 1383S6 describes a system
for smart card communication with a host where the encryption
and decryption keys are generated internally by the card
and the host on the basis of a random number generated by
the host and a pre-assigned code number PN allocated to the
card. The system, however, again suffers from the disadvantage
that the pre-assigned code number needs to be
stored in the card on manufacture or else it must be placed
on the card in a physically secure environment. If the
pre-assigned code number PN cannot be transferred in a
physically secure environment, then there is a risk it may
become known to someone other than an authorised user.
The card could then be used in an unauthorised manner by
simply providing an appropriate random number to the card,
once the PN and logic used to generate the encryption key
are known. It is therefore advantageous to provide a system
which could be used for smart cards, and which does not
require any third party to be provided with information from
which an encryption key can be simply derived or a secure
environment within which a pre-assigned code number must
be transferred.

Most encryption techniques use a key which is generally
a large number on which the encryption and decryption
processes are based. Public key encryption techniques,
where the transmitting terminal employs a public key to
encrypt the transmitted data, and the receiving terminal uses
a secret key to decrypt the data, have been found to be
particularly advantageous. Data can be readily encrypted
without requiring a secret key, yet encrypted communications
cannot be intercepted and then decrypted without
knowledge of the secret key. The secret key needs to be such
that it is related to the public key but cannot be efficiently
derived from the public key. An encryption method which
uses such a public key and secret key technique is known as
the RSA method, and is described in U.S. Pat. No. 4,405,829.
According to the RSA method, a message M is
encrypted into ciphertext C using the following:

$$C = M^{e} \pmod{n}$$

where n = p·q, p and q are prime numbers and e is a number
relatively prime to (p-1)(q-1). The message, or plaintext, is
reconstructed from the transmitted ciphertext using the
following:
where d is determined from p, q and e by the following
relationship:

$$ed \equiv 1 \pmod{\operatorname{lcm}(p-1,\ q-1)}$$

lcm being the acronym for least common multiple. The
exponent e and the modulus n are used as the public key and
the primes p and q and exponent d are kept secret and
constitute the secret key. Provided n is made sufficiently
large, such as 512 bits, the primes cannot be efficiently
determined from n. The RSA method, however, is computationally
intensive and is primarily suitable for powerful
processing systems.

Public key techniques or algorithms, being computationally
intensive, have been considered too slow to execute and
requiring too much memory in order to be practical for use
on smart cards without additional specialised hardware.
Most smart cards have very limited memory for both data
and program storage, and employ microprocessors, such as
8 bit microprocessors, which are very slow compared with
more powerful processors employed in personal computers
and computer workstations. Many smart card applications
require all of the program memory available on the card, and
as much memory as possible for data, which renders permanent
hardware and software implementations of public
key algorithms impractical.

The present invention provides a cryptographic communications
method comprising:

storing a random key on a smart card;

encrypting said random key on the basis of a public key
and providing the encrypted random key to a central
processing station;

decrypting said encrypted random key at said central
station on the basis of a secret key;

encrypting data on the basis of said random key and
transmitting the encrypted data from said central station
to said smart card; and

decrypting the encrypted data at said smart card on the
basis of said random key.

The present invention also provides a communications
system comprising smart card means and a central processing
station, said smart card means including:

means for storing a random key on a smart card,

means for encrypting said random key on the basis of a
public key, and

means for decrypting data encrypted on the basis of said
random key; and

said central station including:

means for decrypting the encrypted random key on the
basis of a secret key, and

means for encrypting data on the basis of said random key
and transmitting the encrypted data to said smart card.

The present invention further provides a method of initialising
a smart card comprising:

generating a random key;

storing said random key in a memory area of said smart
card which is not externally addressable;

encrypting said random key on the basis of a public key;

providing a central processing station with the encrypted
random key;

decrypting said encrypted random key at said central
station on the basis of a secret key;

encrypting secret data at said central station on the basis
of said random key;

transmitting the encrypted secret data to said smart card;
and

decrypting said encrypted secret data at said smart card on
the basis of said random key.

The present invention also provides a smart card comprising:

read protected memory for storing a random key and a
public key;

means for encrypting said random key on the basis of said
public key; and

means for decrypting encrypted data on the basis of said
random key.

A preferred embodiment of the present invention is hereinafter
described with reference to the accompanying
drawing, wherein:

FIG. 1 is a block diagram of a preferred communication
system according to the present invention.

A communications system 2, as shown in FIG. 1, includes
a key generation centre 4 and a smart card 6. The key
generation centre (KGC) 4 is a central host station and
includes a processing system 8 connected to a memory
storage unit 10. The KGC may be implemented by a
personal computer 9. The processing unit 8 is adapted to be
connected to the smart card 6 by a public switched
telecommunications network (PSTN) 12 on a telecommunications
line 14. The KGC 4 stores in the unit 10 information on all
of the smart cards 6 which can be connected to the processing
system 8, and the information is stored with reference to
the serial numbers of the cards 6. The smart cards 6 each
include an 8 bit microprocessor 16, EEPROM memory 18,
a true random number generator 19, and a communications
interface 20 for connection to the line 14 or to an intermediary
terminal, such as a smart card reader 21, connected to
the line 14 and which is able to communicate with the
computer 9 of the KGC 4. The EEPROM 18 includes an area
23 of read protected memory and another area 25 for the
storage of code to be executed from the EEPROM 18. The
area 25 is also preferably read protected. The read protected
area 23 cannot be addressed by an external device. The card
6 also includes a respective serial number stored therein. The
card reader 21 may be part of a point-of-sale (POS) terminal.
The card 6 and the KGC 4 may be associated with a banking
system or a mobile telecommunications system wherein
mobile telecommunications terminals are provided which
can only be used when a smart card 6 with appropriate
authenticating data is inserted in a terminal.

The computer 9 of the KGC 4 and the smart card 6 include
software to compute a Mont_power function defined as
follows:

$$\mathrm{Mont\_power}(a, b, m) = a^{b}\,(2^{R})^{(1-b)} \pmod{m}$$

where in the preferred implementation R=512. The exponent
b for encryption on the smart card 6 is selected to be small
and equal to 3. The Mont_power function is a variation of
the RSA algorithm which improves the performance and
program size of the RSA algorithm by using the Montgomery
modulo reduction method discussed in P. L.
Montgomery, "Modular Multiplication without Trial
Division", Mathematics of Computation, Vol. 44, No. 170,
pp 519-521, April 1985, herein incorporated by reference.
The article discusses an efficient algorithm for executing the
Mont_power function. The modulo reduction step can be
incorporated in a multi-precision multiplication loop to
calculate the Mont_power function. The modulo reduction
step involves setting least significant bits to zero and shifting
the resultant bits at each multiplication step. This is
particularly advantageous as it removes the need to perform
computationally intensive long division.

The computer 9 also includes software to generate the
large composite number, m, which is difficult to factorise,
2^511 < m < 2^512, from the product of two primes, p and q, each
of which produces a remainder of 2 when divided by 3, i.e.
p mod 3 = 2, and q mod 3 = 2, and are such that (p-1)(q-1)
is not divisible by 3.

The EEPROM 18 of the smart card 6 is loaded with
executable program code to extend the standard application
and communications functions of the card 6 to include the
following routines:

1. A C1 routine to generate a 512 bit random number, r,
using the random number generator 19, such that
2^511 < r < m, and store r in the read protected part 23 of
the EEPROM 18.

2. A C2 routine to calculate and output on the communications
interface 20 x=Mont_power (r,3,m), which is r
encrypted by the Mont_power function using an exponent
of 3.

3. A C3 routine which inputs 512 bits of data and
exclusive-ORs the data with r, and stores the result in
the read protected area 23. The routine then deletes m,
r and routines C1, C2 and C3.

To establish the communications system 2, the KGC 4
generates the two primes, p and q, as discussed previously,
such that factorisation of the product of p and q is infeasible.
The primes are generated for each card 6, or for a batch 22
of cards 6 which would make the manufacturing process
simpler. The KGC 4 is then able to calculate m=p·q,
φ=(p-1)(q-1) and the decryption key d, where 3d=1 mod φ.
Plaintext z encrypted using Mont_power (z,3,m) can then
be decrypted using the Mont_power function as follows:

$$\mathrm{Mont\_power}(\mathrm{Mont\_power}(z, 3, m), d, m) = \left((z^{3})(2^{R})^{-2}\right)^{d}(2^{R})^{(1-d)} = z \pmod{m}$$

as Z^(3d) = Z mod m for any integer Z, 0 ≤ Z < m.

The RSA encryption algorithm normally utilises large
exponents, and the use of a small exponent of 3 is particularly
advantageous as it enables the smart card 6 to execute
the public encryption function of RSA, using the Mont_power
function, in a reasonable amount of time with small
program size and memory usage, notwithstanding the limited
power of the processor 16.
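
The routines C1 to C3 and the KGC's recovery of r can be exercised end to end as below. This is an added example, not code from the patent: the class and function names, the Miller-Rabin helper and the serial value are assumptions, and Mont_power is built from a Montgomery multiplication so that the 2^R factor in its definition is visible.

```python
import secrets

R = 512  # Montgomery constant; the text uses R = 512

def mont_mul(a, b, m, m_neg_inv):
    """Montgomery product a*b*2^(-R) mod m, for odd m < 2^R and a, b < m."""
    mask = (1 << R) - 1
    t = a * b
    u = ((t & mask) * m_neg_inv) & mask  # picks u so the low R bits of t + u*m are zero
    t = (t + u * m) >> R                 # exact shift, no long division
    return t - m if t >= m else t

def mont_power(a, b, m):
    """Mont_power(a, b, m) = a^b * (2^R)^(1-b) mod m, for b >= 1."""
    m_neg_inv = (1 << R) - pow(m, -1, 1 << R)
    result = a = a % m
    for bit in bin(b)[3:]:               # square-and-multiply below the leading 1 bit
        result = mont_mul(result, result, m, m_neg_inv)
        if bit == "1":
            result = mont_mul(result, a, m, m_neg_inv)
    return result

def is_probable_prime(n, rounds=40):     # Miller-Rabin; helper assumed for this example
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        y = pow(secrets.randbelow(n - 3) + 2, t, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True

def kgc_prime(bits=256):
    """Random prime p with p mod 3 == 2; top two bits set so p*q exceeds 2^511."""
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p

def kgc_generate():
    """KGC side: modulus m = p*q and decryption exponent d with 3d = 1 mod phi."""
    p = q = kgc_prime()
    while q == p:
        q = kgc_prime()
    return p * q, pow(3, -1, (p - 1) * (q - 1))

class Card:
    """Model of the card; underscore attributes stand for read protected area 23."""
    def __init__(self, serial, m):
        self.serial, self._m, self._r, self._stored = serial, m, None, None
    def c1(self):                        # generate r with 2^511 < r < m
        self._r = secrets.randbelow(self._m - 2**511 - 1) + 2**511 + 1
    def c2(self):                        # output x = Mont_power(r, 3, m)
        return mont_power(self._r, 3, self._m)
    def c3(self, data):                  # XOR incoming data with r, then erase m and r
        self._stored = data ^ self._r
        self._m = self._r = None

def initialise_card(secret_data, serial=1):
    """Run the whole exchange; returns the card and the x value it sent."""
    m, d = kgc_generate()
    card = Card(serial, m)
    card.c1()
    x = card.c2()
    r = mont_power(x, d, m)              # KGC recovers r from x
    card.c3(secret_data ^ r)             # KGC sends X = data XOR r
    return card, x

if __name__ == "__main__":
    card, x = initialise_card(secrets.randbits(512))   # constructed 512-bit secret
    print("m and r erased after C3:", card._m is None and card._r is None)
```

Each r protects exactly one 512 bit block before C3 erases it, and the exclusive-OR step by itself gives the card no means of detecting data altered in transit.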

The KGC 4 provides the serial numbers and the products
m to a card manufacturer (CM) who makes a batch 22 of
cards 6. The product m is given confidentially to the card
manufacturer as it can be used as a basis for determining the
authenticity or validity of the card 6 during subsequent
communications with the KGC 4 at a POS outlet, as discussed
hereinafter. The primes p and q, φ and the secret key
d are all kept secret and are stored in the storage unit 10 of
the KGC 4 against a serial number of a card 6.

The card manufacturer stores m in the read protected part
23 of the EEPROM 18, and stores the program code,
including the routines C1, C2 and C3, in the area 25.
Execution of the program code may be protected by a
requirement that a personal serial number (PIN) be provided
for execution to occur.

Following manufacture, the CM distributes the cards to 
the point of sale (POS) outlets where a card 6 can be sold to 
a customer. On having sold a card 6 to a customer, it is
connected to a point of sale terminal 21 and the card 6
operates to execute the C1 routine and generate internally a
random number r. The card 6 then executes the C2 public
key encryption routine and outputs x and the serial number
to the KGC 4 on the line 14. The random number r and the
serial number are stored at the KGC 4 after decrypting x
using r=Mont_power (x,d,m). The KGC 4 then produces an
application, master or authentication key K, as a random
value for the card and this is transmitted with any other
sensitive and secret information, such as a GSM subscriber
identifier number for a GSM digital telecommunications
network, to the card 6. The application key K, and the other
sensitive information are encrypted for transmission to the
card 6 on the basis of the random number r. The encryption
technique is simply exclusive-ORing r with K, and the other
sensitive data to obtain ciphertext X. The card 6 is able to
decrypt X to obtain the application key and the other data on
the basis of the key r stored therein which is simply
exclusive-ORed with X using the C3 routine. Once the
application key and the other data has been stored on the
card 6 and the routine C3 completed the card can be allowed
to leave the point of sale. The application key is used in
applications which are loaded on the smart card 6, and can
be used as a basis for generation of session keys for
subsequent communications.

The routines C1, C2 and C3 and m and r are erased by the
routine C3 after the authentication key and the other data has
been stored on the card 6 so as to advantageously allow the
card 6 to use the memory space previously occupied by the
routines and m and r. Therefore the card 6 which receives the
initial secret data only needs to perform the public encryption
part of the RSA algorithm and the memory used to
execute this part is recovered after the secret data is
received. Public key cryptosystems are not conventionally
used in this manner.

The above method of sending the sensitive data from the
KGC 4 to the card 6 is also particularly advantageous as the
modulus m can be given to the card manufacturer for
placement on the card without the manufacturer gaining any
additional information which would assist in recovering any
secret data to be passed to the card 6. The encryption key r
is generated and stored internally within the card without
requiring the key r to be divulged to any third party, such as
the card manufacturer, the personnel at the point of sale
outlet or the customer. As r is internally generated and stored
it can only be obtained by destroying the integrity of the card
6.

Alternatively, the card manufacturer can be asked to
execute the routines C1 and C2 once the card has been
manufactured so as to store the key r in the cards prior to
dispatch to POS outlets. The cipher value x produced by the
routine C2 is sent to the KGC 4 with the corresponding serial
number of each card 6. The serial numbers and corresponding
x values of the cards 6 are placed in a secure file which
is protected from modifications and passed to the KGC 4 for
storage therein. The cards 6 are then distributed, and on
connecting the card 6 to a card reader 21 at a POS terminal,
the card 6 sends its serial number to the KGC 4. The KGC
4 accesses the corresponding x value on the basis of the
serial number, and decrypts the x value to obtain r using
r=Mont_power (x,d,m). Secret information can then be sent
to the card 6 by exclusive-ORing the secret data with r, and
then receiving and decrypting the secret data using the card
routine C3, as discussed previously. Information generated
internally by the card 6, such as the value x, can be used to
authenticate the card instead of the modulus m. The CM and
POS outlets are still not able to obtain the random key r
without destroying the integrity of the card 6.

When the CM executes the routines C1 and C2, they may,
instead of being executed on the card, be executed on a
device connected to the card which has a secure communications
environment with the card 6. This, of course, does
significantly reduce the security of the system as the random
key r is not generated on the card 6.

1. A cryptographic communications method comprising:

storing a random key on a smart card;

encrypting said random key using a public key and
providing the encrypted random key to a central processing
station;

decrypting said encrypted random key at said central
station using a secret key;

[illegible]

decrypting the encrypted data [illegible]

2. A communications method as claimed in claim 1,
wherein [illegible] externally addressable.

3. A communications method as claimed in claim 2,
wherein said data includes an application key for said card.

4. A communications method as claimed in claim 3,
including generating said random key on said smart card.

5. A communications method as claimed in claim 4,
including deleting at least one of said random key, said
public key, and a program code for encrypting using said
public key, after receiving said data.

6. A communications method as claimed in claim 5,
including storing an identification number on said smart
card, transmitting said identification number to said central
station, and accessing said secret key at said central station
using said identification number.

7. A communications method as claimed in claim 6,
including generating said public and secret keys at said
station and storing said secret key using said identification
number.

8. A communications method as claimed in claim 7,
wherein said public and secret keys are unique for said smart
card.

9. A communications method as claimed in claim 7,
wherein said public and secret keys are unique for a batch of
smart cards.

10. A communications method as claimed in claim 7,
wherein the public key encrypting and secret key decrypting
steps comprise an RSA based algorithm, using a modulus m
and a small encryption exponent.

11. A communications method as claimed in claim 10,
wherein said exponent is three.

12. A communications method as claimed in claim 10,
including keeping said modulus secret and using said modulus
to authenticate said smart card.

13. A communications method as claimed in claim 10,
including using said encrypted random key to authenticate
said smart card.

14. A communications method as claimed in claim 10,
wherein said algorithm comprises encrypting and decrypting
a value Z using:

$$Z^{b}\,(2^{R})^{(1-b)} \pmod{m}$$

where b is the exponent and R is a constant.

15. A communications system comprising smart card
means and a central processing station, said smart card
means including:
means for storing a random key on a smart card,

means for encrypting said random key using a public key;
and

means for decrypting data encrypted using said random
key; and said central station including:

means for decrypting the encrypted random key using a
secret key, and

means for encrypting data using said random key and
transmitting the encrypted data to said smart card.

16. A communications system as claimed in claim 15,
wherein said storing means is not externally addressable.

17. A communications system as claimed in claim 16,
wherein said data includes an application key for said card.

18. A communications system as claimed in claim 17,
wherein said smart card means includes means for generating
said random key on said smart card.

19. A communications system as claimed in claim 18,
wherein said smart card includes program code for encrypting
using said public key, wherein at least one of said
program code, said public key and said random key are
deleted after said smart card receives said data.

20. A communications system as claimed in claim 19,
wherein said smart card includes an identification number,
and means for transmitting said identification number to said
central station, said central station including means for
accessing said secret key using said identification number.

21. A communications system as claimed in claim 20,
wherein said central station includes means for generating
said public and secret keys and storing said secret key using
said identification number.

22. A communications system as claimed in claim 21,
wherein said public and secret keys are unique for said smart
card.

23. A communications system as claimed in claim 21,
wherein said public and secret keys are unique for a batch of
smart cards.

24. A communications system as claimed in claim 21,
wherein said public key encrypting means and said secret
key decrypting means execute an RSA based algorithm,
using a modulus m and a small encryption exponent.

25. A communications system as claimed in claim 24,
wherein said exponent is three.

26. A communications system as claimed in claim 24,
wherein said modulus is kept secret and used to authenticate
said smart card.

27. A communications system as claimed in claim 24,
wherein said encrypted random key is used to authenticate
said smart card.

28. A communications system as claimed in claim 24,
wherein said algorithm comprises encrypting and decrypting
a value Z using:

$$Z^{b}\,(2^{R})^{(1-b)} \pmod{m}$$



where b is the exponent and R is a constant. 

29. A method of initializing a smart card comprising:

generating a random key;

storing said random key in a memory area of said smart
card which is not externally addressable;

encrypting said random key using a public key;

providing a central processing station with the encrypted
random key;

decrypting said encrypted random key at said central
station using a secret key;

encrypting secret data at said central station using said
random key;

transmitting the encrypted secret data to said smart card;
and

decrypting said encrypted secret data at said smart card
using said random key.

30. A method as claimed in claim 29, wherein said secret
data includes an application key for said smart card.

31. A method as claimed in claim 30, wherein said random
key is generated on said card.

32. A method as claimed in claim 30, including deleting
at least one of said random key, said public key and a
program code for encrypting using said public key from said
smart card after receiving said secret data.

33. A method as claimed in claim 30, including generating
said public and secret keys for said smart card at said central
station.

34. A method as claimed in claim 30, wherein said public
key encrypting and secret key decrypting steps comprise a
Montgomery modulo reduced RSA based algorithm, using a
modulus m and a small encryption exponent.

35. A smart card comprising:

read protected memory for storing a random key and a
public key;

means for encrypting said random key using said public
key; and

means for decrypting encrypted data using said random
key.

36. A smart card as claimed in claim 35, wherein said data
includes an application key.

37. A smart card as claimed in claim 35, including means
for generating said random key.

38. A smart card as claimed in claim 35, including means
for deleting at least one of said random key and said public
key and a program code for encrypting using said public key
after receiving said data.

39. A smart card as claimed in claim 35, wherein said
means for encrypting executes a public key component of a
Montgomery modulo reduced RSA based algorithm, using a
modulus m and a small encryption exponent.